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^— I Abstract 

We introduce quantitative usability and security models to guide the design of password 
^ management schemes — systematic strategies to help users create and remember multiple pass- 

words. In the same way that security proofs in cryptography are based on complexity-theoretic 
I assumptions (e.g., hardness of factoring and discrete logarithm), we quantify usability by in- 

troducing usability assumptions. In particular, password management relies on assumptions 
about human memory, e.g., that a user who follows a particular rehearsal schedule will suc- 
cessfully maintain the corresponding memory. These assumptions are informed by research in 
cognitive science and validated through empirical studies. Given rehearsal requirements and 
Mm a user's visitation schedule for each account, we use the total number of extra rehearsals that 

the user would have to do to remember all of his passwords as a measure of the usability of 
the password scheme. We also present a security model which accounts for the complexity of 
, ^ , password management with multiple accounts and associated threats, including online, offline, 

and plaintext password leak attacks. Observing that current password management schemes are 
04 either insecure or unusable, we present Shared Cues — a new scheme in which the underlying 

^ secret is strategically shared across accounts to ensure that most rehearsal requirements are 

satisfied naturally while simultaneously providing strong security. The construction uses the 
I Chinese Remainder Theorem in a non-standard manner to achieve these competing goals. 

in 

Keywords: Password Management Scheme, Security Model, Usability Model, Chinese Re- 
mainder Theorem, Sufficient Rehearsal Assumption, Visitation Schedule 
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1 Introduction 

^ A typical computer user today manages passwords for many different online accounts. Users strug- 

5^ gle with this task — often forgetting their passwords or adopting insecure practices, such as using 

the same password for multiple accounts and selecting weak passwords [351 129} H3l I23j . While 
there are many articles, books, papers and even comics about selecting strong individual passwords 
[23 SZl EH EH E21 EH ESI 12 , there is very little work on password management schemes — systematic 
strategies to help users create and remember multiple passwords — that are both usable and secure. 
In this paper, we present a rigorous treatment of password management schemes. Our contributions 
include a formalization of important aspects of a usable scheme, a quantitative security model, and 
a construction that provably achieves the competing security and usability properties. 
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Usability Challenge. We consider a setting where a user has two types of memory: persistent 
memory (e.g., a sticlcy note or a text file on his computer) and associative memory (e.g., his own 
human memory). We assume that persistent memory is reliable and convenient but not private (i.e., 
accessible to an adversary). In contrast, a user's associative memory is private but lossy — if the 
user does not rehearse a memory it may be forgotten. While our understanding of human memory 
is incomplete, it has been an active area of research [TH] and there are many mathematical models 
of human memory [411 [66l \W[ I63j . These models differ in many details, but they all model an 
associative memory with cue-association pairs: to remember a (e.g., a password) the brain associates 
the memory with a context c (e.g., a public hint or cue); such associations are strengthened by 
rehearsaQ A central challenge in designing usable password schemes is thus to create associations 
that are strong and to maintain them over time through rehearsal. Ideally, we would like the 
rehearsals to be natural, i.e., they should be a side-effect of users' normal online activity. Indeed 
insecure password management practices adopted by users, such as reusing passwords, improve 
usability by increasing the number of times a password is naturally rehearsed as users visit their 
online accounts. 

Security Challenge. Secure password management is not merely a theoretical problem — there 
are numerous real- world examples of password breaches [3l [291 Ell El EH ESI El dOl El HI [TT] . 

Adversaries may crack a weak password in an online attack where they simply visit the online 
account and try as many guesses as the site permits. In many cases (e.g., Zappos, Linkedin, Sony, 
Gawker [THl [HI El El Ell 112] ) an adversary is able to mount an offline attack to crack weak passwords 
after the cryptographic hash of a password is leaked or stolen. To protect against an offline attack, 
users are often advised to pick long passwords that include numbers, special characters and capital 
letters [53]. In other cases even the strongest passwords are compromised via a plaintext password 
leak attack (e.g., [5l[10l[58l[Tl]), for example, because the user fell prey to a phishing attack or signed 
into his account on an infected computer or because of server misconfigurations. Consequently, users 
are typically advised against reusing the same password. A secure password management scheme 
must protect against all these types of breaches. 

Contributions. We precisely define the password management problem in Section [2] A password 
management scheme consists of a generator — a function that outputs a set of public cue-password 
pairs — and a rehearsal schedule. The generator is implemented using a computer program whereas 
the human user is expected to follow the rehearsal schedule for each cue. This division of work is 
critical — the computer program performs tasks that are difficult for human users (e.g., generating 
random bits) whereas the human user's associative memory is used to store passwords since the 
computer's persistent memory is accessible to the adversary. 

Quantifying Usability. In the same way that security proofs in cryptography are based on complexity- 
theoretic assumptions (e.g., hardness of factoring and discrete logarithm), we quantify usability 
by introducing usability assumptions. In particular, password management relies on assumptions 
about human memory, e.g., that a user who follows a particular rehearsal schedule will successfully 
maintain the corresponding memory. These assumptions are informed by research in cognitive sci- 
ence and validated through empirical studies. Given rehearsal requirements and a user's visitation 
schedule for each account, we use the total number of extra rehearsals that the user would have to 

^Physically, the cue-association pair (c, a) might encode the excitement levels of the neurons in the user's brain [13] . 
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do to remember all of his passwords as a measure of the usability of the password scheme (Section 
[3]). Specifically, in our usability analysis, we use the Expanding Rehearsal Assumption (ER) that 
allows for memories to be rehearsed with exponentially decreasing frequency, i.e., rehearse at least 
once in the time-intervals (days) [1,2], [2,4], [4,8] and so on. Few long-term memory experiments 
have been conducted, but ER is consistent with known studies [6OJ. Our memory assumptions 
are parameterized by a constant a which represents the strength of the mnemonic devices used to 
memorize and rehearse a cue-association pair. Strong mnemonic techniques | 59| [37] exploit the as- 
sociative nature of human memory discussed earlier and its remarkable visual/spatial capacity |61j . 

Quantifying Security. We present a game based security model for a password management scheme 
(Section [4]) in the style of exact security definitions [19j. The game is played between a user (JA) and 
a resource-bounded adversary {A) whose goal is to guess one of the user's passwords. Our game 
models three commonly occuring breaches (online attack, offline attack, plaintext password leak 
attack). Specifically, the adversary is allowed to view a limited number of the user's passwords. 
The adversary is then given a limited number of guesses to try and crack one of the user's remaining 
passwords. We propose specific upper bounds on the number of guesses that an adversary will be 
willing to try based on the economic cost of password cracking. 

Our Construction. We present a new password management scheme, which we call Shared Cues, 
and prove that it provides strong security and usability properties (see Section [5]) . Our scheme 
incorporates powerful mnemonic techniques through the use of public cues (e.g., photos) to create 
strong associations. The user first associates a randomly generated person-action-object story (e.g.. 
Bill Gates swallowing a bike) with each public cue. We use the Chinese Remainder Theorem in a 
novel way to balance several competing security and usability goals: 1) Each cue-association pair 
is used by many different web sites (so that most rehearsal requirements are satisfied naturally), 
2) the total number of cue-association pairs that the user has to memorize is low, 3) each web site 
uses several cue-association pairs (so that passwords are secure) and 4) no two web sites share too 
many cues (so that passwords remain secure even after the adversary obtains some of the user's 
other passwords). 

Related Work. A distinctive goal of our work is to quantify usability of password management 
schemes by drawing on ideas from cognitive science and leverage this understanding to design 
schemes with acceptable usability. We view the results of this paper-employing usability assump- 
tions about rehearsal requirements — as an initial step towards this goal. While the mathemati- 
cal constructions start from the usability assumptions, the assumptions themselves are empirically 
testable, e.g., via longitudinal user studies. In contrast, a line of prior work on usability has focused 
on empirical studies of user behavior including their password management habits [35l EU 03] , the 
effects of password composition rules (e.g., requiring numbers and special symbols) on individual 
passwords [32], the memorability of individual system assigned passwords [57J, graphical pass- 
words ^2?! 120] ■ and passwords based on implicit learning [22j. These user studies have been limited 
in duration and scope (e.g., study retention of a single password over a short period of time). Other 
work |24j articulates informal, but more comprehensive, usability criteria for password schemes. 

Our use of cued recall is driven by evidence that it is much easier than pure recall |18j . We also 
exploit the large human capacity for visual memory |61| by using pictures as cues. Prior work on 
graphical passwords [271 120] also takes advantage of these features. However, our work is distinct 
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from the literature on graphical passwords because we address the challenge of managing multiple 
passwords. More generally, usable and secure password management is an excellent problem to 
explore deeper connections between cryptography and cognitive science. 

Security metrics for passwords like (partial) guessing entropy (e.g., how many guesses does the 
adversary need to crack a-fraction of the passwords in a dataset |45| [50l [23] ? how many passwords 
can the advesary break with /3 guesses per account [251?) were designed to analyze the security of 
a dataset of passwords, not the security of a password management scheme. While these metrics 
can provide useful feedback (e.g., they rule out some insecure password management schemes) they 
do not deal with the complexities of securing multiple accounts against an advesary who may have 
gained background knowledge about the user from previous attacks. 



2 Definitions 

We use V to denote the space of possible passwords, and we use A: G /C to denote any knowledge 
that the user has (e.g., birth dates, names of friends, familiar songs). A password management 
scheme needs to generate m passwords pi, ...yPm — one for each account Ai. We also allow the 
password management scheme to store m sets of public cues ci, Cm C C in persistent memory to 
help the user remember each password. Because these cues are stored in persistent memory they 
are always available to the adversary as well as the user. 



Visitation Schedules and Rehearsal Requirements. Each cue c G |Jj q may have a rehearsal 
schedule to ensure that the cue-association pair (c, a) is maintained. 

Definition 1. A rehearsal schedule Rc for a cue-association pair {c,a) is a sequence of times 
< ti < ■■■■ For each i > we have a rehearsal requirment, the cue-association pair must be 
rehearsed at least once during the time window = {x E M |t? < x < if+i}- 

A rehearsal schedule is sufficient if a user can maintain the association (c, a) by following 
the rehearsal schedule. We discuss sufficient rehearsal assumptions in section [Sj and we discuss 
mnemonic techniques in section |F] of the appendix. In particular, the length of each interval 
[ti, ti+i] may depend on the strength of the mnemonic technique used to memorize and rehearse a 
cue-association pair (c, a) as well as i — the number of prior rehearsals. 

A visitation schedule for an account Ai is a sequence of real numbers Tq < r{ < . . ., which 
represent the times when the account Ai is visited by the user. We do not assume that the exact 
visitation schedules are known a priori. Instead we model visitation schedules using a random 



-r* — t' 



the average time between consecutive 
ti, ^i+i] can be satisfied naturally if the user visits 



process with a known parameter Aj based on E 

visits to account A^. A rehearsal requirement 

a site Aj that uses the cue c during the given time window. Formally, 

Definition 2. We say that a rehearsal requirement [t?, is naturally satisfied by a visitation 

schedule Tq < r{ < . . . if3jG [m],k e N s.t c e cj and G . 

If a cue-association pair (c, a) is not rehearsed naturally during the interval [tfjif+i] then the 
user needs to perform an extra rehearsal to maintain the association. 
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We use rehearsal requirements and visitation schedules to quantify the usability of a password 
management scheme by measuring the total number of extra rehearsals. Let 



X. 



t,c 



{i I t^+i < t A Vj, k{ci Cj V tI i {t\, ) } 



Intuitively, Xi^^ denotes the total number of extra rehearsals of the cue-association pair (c, a) 
during the time interval [0, t] (e.g., the number of rehearsal requirements [tf , t\j^-^ with < t that 
are not natuarally satisfied by the visitation schedule). Let C = IJi<m denote the set of all cues 
that a user must remember, then Xt = ^^ec -^tfi total number of extra rehearsals during 

the time interval [0,i]. 

Usability Goal: Minimize the expected value of E [Xt\. 



Password Management Scheme. A password management scheme includes a generator Qm 
and a rehearsal schedule R. The generator Qm (^k, b, )Cj utilizes a user's knowledge k £ IC, random 

bits b £ {0,1}* and the parameters for the visitation schedule A = (Ai,...,Am) of each site to 
generate passwords pi, ■■.,Pm and public cues ci, ...,Cm C C. Because the cues ci,...Cm are public 
they may be stored in persistent memory along with the code for the generator Qm- In contrast, 
the passwords pi, ...pm must be memorized and rehearsed by the user (following R) so that the cue 
association pairs {ci,pi) are maintained in his associative memory. 

Definition 3. A password management scheme is a tuple {Grn,R), where Qm is a function Qm '■ 
K, X {0, 1}* X ^ (P X 2^)"" and a R is a rehearsal schedule which the user must follow for each 
cue. 

Our security analysis is not based on the secrecy of Qm, k or the public cues ci,...,Cm- The 
adversary will be able to find the cues ci, ...,Cm because they are public. In fact, we also assume 
that the adversary has background knowledge about the user (e.g., he may know k), and that the 
adversary knows the password management scheme Qm- The only secret is the random string b 
used by Qm to produce pi, ---iPm- 

Example Password Management Schemes. Most password suggestions are too vague (e.g., "pick 
an obscure phrase that is personally meaningful to you") to satisfy the precise requirements of a 
password management scheme. We consider the following formalization of password managment 
schemes: (1) Reuse Weak — the user selects a random dictionary word w (e.g., from a dictionary of 
20,000 words) and uses pi = w as the password for every account Ai. (2) Reuse Strong — the user 
selects four random dictionary words {wi-, W2, ws^w^) and uses pi = W1W2W3W4, as the password for 
every account Ai. (3) Lifehacker{e-g-, [1]) — The user selects three random words {wi,W2,W3) from 
the dictionary as a base password b = W1W2W3- The user also selects a random derivation rule d to 
derive a string from each account name (e.g., use the first three letters of the account name, use the 
first three vowels in the account name). The password for account Ai is pi = bd{Ai) where d{Ai) 
denotes the derived string. (4) Strong Random and Independent — for each account Ai the user 
selects four fresh words independently at random from the dictionary and uses pi = w\w2W^w\- 
Schemes (l)-(3) are formalizations of popular password management strategies. We argue that they 
are popular because they are easy to use, while the strongly secure scheme Strong Random and 
Independent is unpopular because the user must spend a lot of extra time rehearsing his passwords. 
See appendix [C] for more discussion of the security and usability of each scheme. 
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3 Usability Model 



People typically adopt their password management scheme based on usability considerations instead 
of security considerations [35j. Our usability model can be used to explain why users tend to 
adopt insecure password management schemes like Reuse Weak, Lifehacker, or Reuse Strong. Our 
usability metric measures the extra effort that a user has to spend rehearsing his passwords. Our 
measurement depends on three important factors: rehearsal requirements for each cue (Section [3]), 
visitation rates for each site, and the total number of cues that the user needs to maintain. Our 
main technical result in this section is Theorem [T] — a formula to compute the total number of 
extra rehearsals that a user has to do to maintain all of his passwords for t days. To evaluate the 
formula we need to know the rehearsal requirements for each cue-association pair as well as the 
visitation frequency Aj for each account Ai. 



Rehearsal Requirements. If the password management scheme does not mandate sufficient 
rehearsal then the user might forget his passwords. Few memory studies have attempted to study 
memory retention over long periods of time so we do not know exactly what these rehearsal con- 
straints should look like. While security proofs in cryptography are based on assumptions from 
complexity theory (e.g., hardness of factoring and discrete logarithm), we need to make assump- 
tions about humans. For example, the assumption behind CAPTCHAs is that humans are able to 
perform a simple task like reading garbled text [M]- A rehearsal assumption specifies what types 
of rehearsal constraints are sufficient to maintain a memory. We consider two different assump- 
tions about sufficient rehearsal schedules: Constant Rehearsal Assumption (CR) and Expanding 
Rehearsal Assumption (ER). Because some mnemonic devices are more effective than others (e.g., 
many people have amazing visual and spatial memories |61j ) our assumptions are parameterized by 
a constant a which represents the strength of the mnemonic devices used to memorize and rehearse 
a cue association pair (see section |F] in the appendix for more discussion). 

Constant Rehearsal Assumption (CR): The rehearsal schedule Rc = {icr}^^ is sufficient 
to maintain the association (c, a). 

CR is a pessimistic assumption — it asserts that memories are not permanently strengthened 
by rehearsal. The user must continue rehearsing every a days — even if the user has frequently 
rehearsed the password in the past. 

Expanding Rehearsal Assumption (ER): The rehearsal schedule Rc = {2*°^}°^^ is suffi- 
cient to maintain the association (c, a) . 

ER is more optimistic than CR — it asserts that memories are strengthed by rehearsal so that 
memories need to be rehearsed less and less frequently as time passes. If a password has already 
been rehearsed i times then the user does not have to rehearse again for 2*°" days to satisfy the 
rehearsal requirement [2**^, 2*'^"'"'^] . ER seems more consistent with long term memory experiments 

[601 US]. 



Visitation Schedules. Visitation schedules may vary greatly from person to person. For exam- 
ple, a 2006 survey about Facebook usage showed that 47% of users logged in daily, 22.4% logged in 
about twice a week, 8.6% logged in about once a week, and 12% logged in about once a month p^. 
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Schedule A 
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-1 
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1 
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1 
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1 day 


3 day 


7 day 


31 day 


365 day 


Very Active 


10 


10 


10 


10 


35 


Typical 


5 


10 


10 


10 


40 


Occasional 


2 


10 


20 


20 


23 


Infrequent 





2 


5 


10 


58 



Table 1: Visitation Schedules - number of accounts visited with frequency A 



We use a poisson process with parameter Aj to model the visitation schedule for site At. We assume 
that the value of l/Aj — the average inter-visitation time — is known. For example, some websites 
(e.g., gmail) may be visited daily (Aj = 1/1 day) while other websites (e.g., IRS) may only be visited 
once a year on average (e.g., Xi = 1/365 days). The poisson process has been used to model the 
distribution of requests to a web server [52] . While the poisson process certainly does not perfectly 
model a user's visitation schedule (e.g., visits to the IRS websites may be seasonal) we believe that 
the predictions we derive using this model will still be useful in guiding the development of usable 
password management schemes. While we focus on the poisson arrival process, our analysis could 
be repeated for other random processes. 

We consider four different types of internet users: very active, typical, occasional and infrequent. 
Each user account Ai may be visited daily (e.g., Aj = 1), every three days (Aj = 1/3), every week 
(e.g. Xi = 1/7), monthly (Aj = 1/31), or yearly (Aj = 1/365) on average. See table [l] to see the 
full visitation schedules we define for each type of user. For example, our very active user has 10 
accounts he visits daily and 35 accounts he visits annually. 

Extra Rehearsals. 
Theorem 1. 

ceC i=0 \ \j:cecj J 

where ic* = (argmax^; < t) — 1. 

Theorem [T] follows easily from Lemma [T] and linearity of expectations. Each cue-association 
pair (c, a) is rehearsed naturally whenever the user visits a site which uses the public cue c. Lemma 
[T] makes use of two key properties of poisson processes: (1) The natural rehearsal schedule for a 
cue c is itself a poisson process, and (2) Independent Rehearsals - the probability that a rehearsal 
constraint is satisfied is independent of previous rehearsal constraints. 

Lemma 1. Let Sc = {i \ c £ q} and let Ac = XlieSc then the probability that the cue c is not 
naturally rehearsed during time interval [a, b] is exp (—Ac {b — a)). 

4 Security Model 

In this section we present a game based security model for a password management scheme. The 
game is played between a user (U) and a resource bounded adversary (A) whose goal is to guess one 
of the user's passwords. We demonstrate how to select the parameters of the game by estimating 
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the adversary's amortized cost of guessing. Our security definition is in the style of the exact 
security definitions of Bellare and Rogaway [19j. Previous security metrics (e.g., min-entropy, 
password strength meters) fail to model the full complexity of the password management problem 
(see discussion in the appendix). By contrast, we assume that the adversary knows the user's 
password management scheme and is able to see any public cues. Furthermore, we assume that 
the adversary has background knowledge (e.g., birthdate, hobbies) about the user (formally, the 
adversary is given k G IC). Many breaches occur because the user falsely assumes that certain 
information is private (e.g., birthdate, hobbies, favorite movie) 13 HI] . 

Adversary Attacks. Before introducing our game based security model we consider the attacks 
that an adversary might mount. We group the adversary attacks into three categories: Online 
Attack — the adversary knows the user's ID and attempts to guess the password. The adversary 
will get locked out after s incorrect guesses (strikes). Offline Attack — the adversary learns both 
the cryptographic hash of the user's password and the hash function and can try many guesses. The 
adversary is only limited by the resources that he is willing to invest to crack the user's password. 
Plaintext Password Leak Attack — the adversary directly learns the user's password for an account. 
Once the adversary recovers the password pi the account Ai is compromised. A secure password 
management scheme should prevent the adversary from compromising more accounts. 

We model online and offline attacks using a guess-limited oracle. Let S C [m] be a set of 
indices, each representing an account. A guess-limited oracle Os,q is a blackbox function with the 
following behavior: 1) After q queries Os,q stops answering queries. 2) Vz ^ S, Os,q (iiP) = -L 3) 
Vi e S, Os,q {i-iPi) = 1 and 4) Vi G S^p ^ pi, Os,q (hP) = 0. Intutively, if the adversary steals the 
cryptographic hashes for accounts Ai [i G S), then he can execute an online attack against each of 
these accounts. We also model an online attack against account Ai with the guess-limited oracle 
Ojj} s with s <^ q (e.g., s = 3 models a three-strikes policy in which a user is locked out after three 
incorrect guesses). 

Game Based Definition of Security. Our cryptographic game proceeds as follows: 

Setup: The user U starts with knowledge A; G /C, visitation schedule A G M"^ and a random sequence 

of bits b G {0, 1}*. The user runs Gm (j^,b,X^ to obtain m passwords pi, .■■,Pm and public cues 

ci, ■■■,Cm ^ C for accounts Ai, ...,Am- The adversary A is given k, Qm, A and ci, ...,Cm- 
Plaintext Password Leak Attack: A selects a set S C [m] s.t IS*] < r and receives pi for each i £ S. 
Offline Attack: A selects a set S' C [m] s.t. \S'\ < h, and is given blackbox access to the guess- 
limited offline oracle Os\q- 

Online Attack: For each i G [m] — (S'U S"), the adversary is given blackbox access to the guess- 
limited offline oracle 

Winner: A wins by outputing {j,p), where j G [m] — S and p = Pj- 

We use AdvWins (k,b,X, Qm, A ) to denote the event that the adversary wins. 



Definition 4. We say that a password management scheme Qm is {q, 5, m, s, r, h)-secure if for every 
A; G /C and adversary strategy A we have Prf, 



AdvWins (jt, b, A, Gm, A 



< 6. 



Example: Suppose that a password management scheme is {q$iQ6,10 ^, m, s, 3, l)-secure and 
that the adversary is able to recover r = 3 plaintext passwords Pi,Pj,Pk- Even if the adversary 
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Public Cue 



Private 
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Action: swallowing 



Object: bike 



-19 






19 swallowing + piranha + 



bike + kicking 



(a) PAO Story with Cue 



(b) Account AiQ from Shared Cites(9,10,ll,13). 
Figure 1 



obtains h = 1 cryptographic password hash h{pt) and spends $10^ trying to crack pt he will fail 
with probability at least 1 — 10~^! 



Economics of Parameter Selection. Our guessing limit q is based on the following economic 
observation: the adversary will not spend more than $B trying to crack a password if his benefit 
is at most $B (e.g., the user has at most $B in his bank accounts). We use the upper bound 
qb = $B/Cq, where Cq = %R/ fu denotes the amortized cost per query (e.g., cost of renting ($i?) 
an hour of computing time on Amazon's cloud pj divided by fn — the number of times the 
cryptographic hash function can be evaluated in an hour.) We experimentally estimate fu for 
SHAl, MD5 and BCRYPT[5T] — more details can be found in Appendix [Ej Assuming that the 
BCRYPT password hash function was used to hash the passwords we get qs = B (5.155 x 10^) 
— we also consider cryptographic hash functions like SHAl, MD5 in the appendix. While our 
password management scheme could be adopted by any user — rich or poor — we focus on the 
specific value q$iQ6 = 5.155 x lO^''. 



5 Our Construction 



We present Shared Cues — a novel password management scheme which balances security and 
usability considerations. The key idea is to strategically share cues to make sure that each cue 
is rehearsed frequently while preserving strong security goals. Our construction may be used in 
conjunction with powerful cue-based mnemonic techniques like memory palaces |59] and person- 
action-object stories |37| to increase a — the association strength constant. We use person-action- 
object stories as a concrete example. See Appendix |F| for more discussion. 



Person- Action-Object Stories. A random person-action-object (PAO) story for a person (e.g.. 
Bill Gates) consists of a random action a £ ACT (e.g., swallowing) and a random object o G OBJ 
(e.g., a bike). PAO stories tend to be surprising and interesting because the story is often unexpected 
(e.g.. President Obama kissing a piranha, or Michael Jordan torturing a lion). The cue c G C 
includes the person (e.g., Bill Gates) as well as a picture. The cue c could be selected either with 
the user's input (e.g., use the name of a friend and a favorite photograph) or automatically by the 
password generator. To help the user memorize the story we tell him to imagine the scene taking 
place inside the picture (see Figure la for an example). 
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5.1 Sharing Cues 



Each password might involve multiple cue-association pairs. Let ci,...,Cm ^ C denote the public 
cues for each site and let {ci, ...c„} = UI^i denote the base cues. The key challenge is to share 
base cues in a way that optimizes security and usability considerations. More formally, our goal is to 
construct sets of cues ci, ...Cm ^ C such that 7 = maxj<j<m \ci Cj\ is small, i = minj<m \ci\ is large 
and n — the total number of cue-association pairs that the user has to remember — is small to get 
better usability. To maintain security it is desireable to have i large (so that passwords are strong) 
and 7 small (so that passwords remain strong even after an adversary compromises some of the 
accounts) — see Theoremjsj Shared Cues{ni, . . . , n^) — Algorithmjl] — uses the Chinese Remainder 
Theorem to meet these goals. The Chinese Remainder Theorem has numerous applications in 
cryptography (e.g., faster RSA decryption algorithm [31], secret sharing [UJ). Our application 
of the Chinese Remainder Theorem is different — we use the Chinese Remainder Theorem to 
construct our public cues. The numbers ni, ...,n£ should be coprime so that we can invoke the 
Chinese Remainder Theorem — see Figure [Tb| for an example of SharedCues{9, 10, 11, 13). 

We use two additional tricks in Algorithm 111 to improve usability: (1) Our base cue c consists of 
two pictures and two corresponding people with a label (action/object) for each person (see Figure 



lb). This helps the user to rehearse both PAO stories while entering the same number of words. 
(2) To optimize usability we use GreedyMap (Algorithm [2]) to produce a permutation vr : [m] — t- [m] 
over the public cues — the goal is to minimize the total number of extra rehearsals by ensuring 
that each base cue is used by a frequently visited account. 
Algorithm 1 SharedCues {ni, ...,n£) Qm 

Input: /c € /C, 6, Ai, A^. Rehearsal Schedule R (CR or ER) with association strength constant 
a. Let n = rii + . . . + Ui. 
for i = 1 — )• ^ do 

for j = 1 — )• nj do % Create base cues and PAO stories 

Picture and Person: Pj %Selected by either user or computer. 

Action-Object Story: a) ^ ACT, o) I- OBJ % Uniform Sampling 

for all i G [£], j G [n^] do 

&-*r- {{^''■,'-Act'^,{p'--^-y mod n,' 'O^i')) %Split PAO Stories to optimize usability 

TT GreedyMap {m, Xi, Xm, R,cr) % Permute cues 

for J = 1 — )• m do % Create cue-password pairs 

11 I i 

P'^ij) mod rix'^j+l mod rti ' • • '^j mod n^^j+l mod ng 



C. 



'^{3) 1 j mod n 



l<i< 



return (p^(i), c^(i)) , . . . , (p7r(m), c^(m)) 
User: Rehearses the cue-association p 
Computer: Stores the public cues ci, ...,Cm in persistent memory. 



User: Rehearses the cue-association pairs ( Pj, a*o* ) by following the rehearsal schedule R. 



5.2 Usabihty 

Once we have constructed our public cues ci , . . . , Cm we need to create a mapping vr between cues 
and accounts Ai, Am- Our goal is to minimize the total number of extra rehearsals that the 
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Assumption 


Constant Rehearsal (cr = 1) 


Expanding Rehearsal (cr = 1) 


Schedule / Scheme 


B+D 


SRI 


SC-1 


SC-2 


B+D 


SRI 


SC-1 


SC-2 


Very Active 


^ 


23,396 


1,309 


2,436 


.023 


420 


3.93 


7.54 


Typical 


.014 


24, 545 


3,225 


5,491 


.084 


456.6 


10.89 


19.89 


Occasional 


.05 


24, 652 


9,488 


6,734 


.12 


502.7 


22.07 


34.23 


Infrequent 


56.7 


26,751 


13,214 


18, 764 


1.2 


564 


119.77 


173.92 



Table 2: E [X365]: Extra Rehearsals over the first year for various visitation schedules and password 
management schemes. 

B+D: Lifehacker SRI: Strong Random and Independent 

SC-1: SharedCues {9,10,11,13) SC-2: SharedCues (9,10,11,13,17) 

user has to do to satisfy his rehearsal requirements. Formally, we define the Min-Rehearsal 
problem as follows: Instance: Public Cues Si,...,Sm ^ C, Visitation Schedule Ai,...,Am, a 
rehearsal schedule Rc for each base cue c E UiSi and a timeframe t. Output: A bijective 
mapping vr : {l,...,m} — )• {l,...,m} mapping account Ai to public cue S'7r(i) which minimizes 
E [Xt]. Unfortunately, we can show that Min-Rehearsal is NP-Hard to even approximate within 
a constant factor. Our reduction from Set Cover can be found in appendix |Aj Instead we use 
GreedyMap to produce our permutation vr. 

Theorem 2. R is NP-Hard to approximate Min-Rehearsal within a constant factor. 



Algorithm 2 GreedyMap 



Input: m, Ai, A^, Rehearsal Schedule R (CR or ER) and association strength constant cr 
Relabel: Sort A's s.t Aj > Aj+i for alH < m — 1. 
Initialize: ttq (j) ^ + for j < m, UsedCues 0. 

%7rj denotes a partial mapping [i] — )• [m],for j >i, the mapping is undefined (e.g. 



TTj (j) = +) . Let Sk 
for i = 1 — > m do 

for all j G [m] — UsedCues do 



|pj k = j mod HiV k = j + 1 mod nj| . 



A, 



E 



Xt,p Xp - Ai + E,:Pe5„ 



A, 



E 



t,p 



% Aj : expected reduction in total extra rehearsals if we set 7rj(z) 



VTi {i) ^ 
return tt'^' 



argmaxj Aj, UsedCues ^ UsedCues U {ttj (i)} 



We evaluate usability using the formula from Theorem [T} We present our results for the very 
active, typical, occasional and infrequent internet users under both sufficient rehearsal assumptions 
CR and ER. Table [2] shows the values of E [X^q^] for Lifehacker, Strong Random and Independent, 
Shared Ciies(9,10,ll,13) and Shared CMes(9,10,ll,13,17). We use the same association strength 
constant for each scheme a = 1 — though we expect that a will be higher for schemes like Shared 
Cues that use strong mnemonic techniques. We explore the effect of cr on ii^ [Xt^d in Appendix 
[B} As expected Lifehacker always requires the fewest number of extra rehearsals — this is not 
surprising because there are only n = 4 cues (e.g., three words, one derivation rule) that need 
to be rehearsed and each cue naturally rehearsed whenever the user logs into any account. By 
contrast. Strong Random and Independent has more rehearsal requirements (e.g., four words for 
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each account n = 4 x 75 = 300) , and each rehearsal requirement is less likely to be satisfied naturally 
— even a very active user has many accounts that he visits infrequently. Our scheme Shared 
CMes(9,10,ll,13) requires under four extra rehearsals for the very active user, because we only have 
n = 43 base cues and each cue is frequently rehearsed naturally. For the very active, typical and 
occasional user the number of extra rehearsals required by Shared Cues is quite reasonable (e.g., 
the typical user would need to perform less than one extra rehearsal per month). The benefits 
of Shared Cues are less pronounced for the infrequent user — though the advantage over Strong 
Random and Independent is still significant primarily because there are fewer cues that need to be 
rehearsed. 



5.3 Security 

We first prove that no two public cues in our scheme share too many base cues. Theorem [3] follows 
easily from Lemma [2] 

Lemma 2. Let m < n2 < ■ ■ ■ < ni be pairwise coprime and let u G [£] be a constant. If m < 
711^2. ..n„ then for any i < j < m we have 7 = Iq P| Cj| < u — 1. 

Proof. Suppose for contradiction that |ciP|Cj| > u for i < j < m, then by construction we can 
find u distinct indices ki, ...,ku such that i = j mod n^^ for 1 < t < u. The Chinese Remainder 
Theorem states that there is a unique number < x* < Ylt=i "-fc* such that x* = j mod n^^ for 
1 < t < u. However, we have i < m < n"=i '^fcf Hence, i = x* and by similar reasoning j = x* . 
Contradiction! 

□ 

Examples: Suppose that we select pairwise coprime numbers ni = 5, n2 = 7, 723 = 8, n4 = 9, ns = 
11,71,6 = 13,727 = 17,728 = 19. If the user has tti, < 35 = 5 x 7 accounts then 7 = 1 (e.g., any two 
accounts i < j < 35 share at most 1 common cue), and for m < 280 = 5 x 7 x 8 then 7 = 2. 



Theorem 3. Suppose that m < n7=i then SharedCues {ni, ...,ni) satisfies {q,6,m,s,r,h)- 

<? 

\OBjf-'<'-\ACT\'^ 



security for 6 < ^--yr and any h. 



We assume that ACT {OBJ) contains 140 unique actions (objects), and that the adversary 
is willing to spend at most $10® on password cracking (e.g., q = q%iQfi). Our security guarantees 
for Shared Cues are illustrated in Table [Sj Strong Random and Independent satisfies {q'^iQ6,2>.2 x 
10~^, 772, s, r, /i)-security for any values of r and h — a very strong security gurantee! By contrast, 
Lifehacker does not satisfy {q, 5, m, s, r, 0)-security whenever r > because it is easy for the 
adversary to guess the derivation rule. 

For the special case h = (e.g., the adversary is limited to online attacks) the security guarantees 
of Theorem [3| can be further improved to 5 < ^^^^ ^^t^^^ .g.^r because the adversary is actually 



_ \OBJ\'-""'\ACT\ 
limited to sm guesses. 
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A Missing Proofs 

Reminder of Lemma III Let Sc = {i \ c ^ Cj} and let Ac = X^jg^^ Aj then the probability that the 
cue c is not naturally rehearsed during time interval [a, b] is 

exp (-Ac (6 - a)) . 



Proof of Lemma ^ Let N{t) = ||r^ | i G -Sc A < t} | denote the number of times the cue 
c is rehearsed during the interval [0,t]. Notice that the rehearsal requirement [a,b] is naturally 
satisfied if and only if N{b) — N{a) > 0. N{t) describes a Poisson arrival process with parameter 
Ac = Aj so we can apply standard properties of the Poisson process to get 

Pr [N{b) - N{a) = 0] = exp (-A (6 - a)) . 

□ 

Reminder of Theorem [T], 

ceC i=0 \ \j:c£Cj J J 

where ic* = (argmax^; t^ < t) — 1. 

Proof of Theorem [7| Let Sc = {i \ c ^ Cj} and let Va^b (c) be the indicator for the event that 
3i G Sc, k G N.r| G [a, b] (e.g., cue c is rehearsed naturally during the time interval [a, b]). Then by 
linearity of expectation 

where 

^ [1 - Vu,u^, (c)] = £ exp I - I A, I (t^+i - ) , 

by Lemma [l| The result follows immediately from linearity of expectation. □ 

Reminder of Theorem [2j It is NP-Hard to approximate Min- Rehearsal within a constant 
factor. 

Proof of Theorem Let 7 > be any constant. We prove that it is NP-Hard to even 7- 

approximate Min-Rehearsal. The reduction is from set cover. 
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Set Cover Instance: Sets 5i, 5„ and universe U = \J^Si. A set cover is a set 5 C {1, n} 
such that Uies •S'j = U. 
Question: Is there a set cover of size fc? 

Given a set cover instance, we set C = U create pubhc cues ci, Cm ^ C for each account by 
setting Ci = Si. We set the following visitation schedule 

_ In {-f\U\ (maxcsc i *c)) 
M — 7 

for i = 1, . . . , /c and A^+i, An = 0. There are two cases: (1) There is a set cover 5 = {xi, ■■.,Xk} C 
{1, n} of size k. If we assign 7r{i) = Xi for each i < k then for each base cue c G C/ we have 



Ac — ^ Aj > Ai . 

i:c£Si 



Applying Theorem [T] we get 



< |C| maxz: exp - - tf^ 'L ,c(^ 

< ^m^i*^ exp ^— In ^7 \ U\ ^m^i*^ 



< { maxi" 



cec "J j\U\ (maxc6c«j) 
_ 1 

7 ' 

(2) If there is no set cover of size k. Given a mapping vr we let Sj^ = {i\ 3j < k.ir (j) = i} be 
the set of all public cues visited with frequency at least Ai. Because \St,-\ = k, S-,^ cannot be a set 
cover and there exists some cj G C which is never visited so no rehearsal requirements are satisfied 
naturally. 

cGC i=0 \ i:c&S^(^i-j J i=0 

□ 

Reminder of Theorem [3| Suppose that m < nZ=i then SharedCues {rii, ...,ni) satisfies 
{q, 6, m, s, r, h)-security for 6 < ^Qj^j^e-J^j^cTf-'"' "'^^ "^^^ ^' 

Proof of Theorem Suppose that the adversary recovers the plaintext passwords for accounts 
S C [m], where IS*! < r. Let Ck be the public cue for an uncompromised account Ak (e.g., k ^ S). 
We define 

Uk = Ck- {4 mod n, I e S.j = k mod Ui} , 



18 





A = 0.5 


A = 1 


A = 3 


A = 7 


A = 31 


a=0.1 


0.686669 


2.42166 


5.7746 


7.43555 


8.61931 


a=0.5 


0.216598 


0.827594 


2.75627 


4.73269 


7.54973 


a=l 


0.153986 


0.521866 


1.56788 


2.61413 


4.65353 


a =2 


0.135671 


0.386195 


0.984956 


1.5334 


2.57117 



Table 4: Expanding Rehearsal Assumption: X365,c vs. Ac and a 





A = 0.5 


A = 1 


A = 3 


A = 7 


A = 31 


a=l 


49.5327 


134.644 


262.25 


317.277 


354.382 


a =3 


0.3024 


6.074 


44.8813 


79.4756 


110.747 


a=7 


0.0000 


0.0483297 


5.13951 


19.4976 


42.2872 


a=31 


0.000 


0.0000 


0.0004 


0.1432 


4.4146 



Table 5: Constant Rehearsal Assumption: X-sq5^c vs. Ac and a 

to be the set of all uncompromised base cues in c^. Because each base cue references one random 
action and one random object we can upper bound — the bad even that the adversary A 
guesses {k^pk) in at most q attempts. 



where 



\Uk\ > |cfc| - ^ |cfcP|cj| 

> i — rj , 

by Lemma [2| Similar reasoning applies to other uncompromised accounts. □ 



B Varying the Association Strength Constant 

We use the same association strength constant for each scheme a = 1 — though we expect that a 
will be higher for schemes like Shared Cues that use strong mnemonic techniques. We explore the 
effect of a on E [Xt^d- We explore the effect of <t on ii^ [^t,c] for various values of A. Table [4] shows 
the values E [Xt^d in the expanding rehearsal assumption as o" G {0.1.0.5, 1, 2}. We the visitation 
parameters consider A = 1 (e.g., naturally rehearsed daily), A = 3, A = 7 (e.g., naturally rehearsed 
weekly), A = 31 (e.g., naturally rehearsed monthly). 

Table [5] shows the values E[Xt^c] in the constant rehearsal assumption for a G {1,3,7,31}. If 
(7 = 7 then the cue must be rehearsed every week. 
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C Baseline Password Management Schemes 



In this section we formalize our baseline password management schemes: Reuse Weak (Algorithm 
[3]), Reuse Strong ( Algorithm |4]),Li/e/iacA;er (Algorithm [5]) and Strong Random and Independent (Al- 
gorithm |6]). The first three schemes {Reuse Weak,Reuse Strong, Lifehacker) are easy to use, but 
only satisfy weak security guarantees. Strong Random and Independentprovides very strong security 
guarantees, but is highly difficult to use. 

Vague instructions and strategies do not constitute a password management scheme because it is 
unclear what the resulting distribution over V looks like. When given such vague instructions (e.g., 
"pick a random sentence and use the first letter of each word" ) people tend to behave predictably 
(e.g., picking a popular phrase from a movie or book). For example, when people are required 
to add special symbols to their passwords they tend to use a small set of random symbols and 
add them in predictable places (e.g., end of the password) |l2]. Most password advice provides 
only vague instructions. However, many of these vague strategies can be tweaked to yield formal 
password management schemes. Reuse Weak, Reuse Strong, and Lifehacker are formalizations of 
popular password management strategies. 

Each of these password management schemes inores the visitation schedule Ai, Am- None of 
the schemes use cues explicitly. However, the user always has an implicity cue when he tries to 
login. For example, the implicit cue in Reuse Weak might be "that word that I always use as my 
password." We use four implicit cues for Reuse Strong to represent the use of four separate words 
(chunks |46) ) . These implicit cues are shared accross all accounts — a user rehearses the implicit 
association(s) when he logs into any of his accounts. 

Algorithm 3 Reuse Weak Qm 

Input: Background knowledge k £ IC about the user. Random bits b, Ai, Am- 

$ 

Random Word: w ^ ^20,000- t> Select w uniformly at random from a dictionary of 20,000 
words. 

for i = 1 ^ m do 

Pi ^ w 
Ci {'word'} 
return (pi, ci) , {pm, Cm) 

User: Memorizes and rehearses the cue-association pairs {''word' ,pi) for each account Ai by 
following the rehearsal schedule (e.g., CR or ER). 



Algorithm 4 Reuse Strong Qm 

Input: Background knowledge k £ IC about the user. Random bits b, Ai, ...,Xm- 
for i = 1 — )• 4 do 

$ 

Random Word: Wi ^ -D2o,ooo- 
for i = 1 — )• m do 

Pi ^ W1W2W3W4 
Ci^{{Word',j) lie [4]} 
return (pi,ci) , {pm,Cm) 

User: Memorizes and rehearses the cue-association pairs {{^Word' , j) ,Wj) for each j £ [4] by 
following the rehearsal schedule (e.g., CR or ER). 
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Lifehacker uses a derivation rule to get a different password for each account. There is no explicit 
cue to help the user remember the derivation rule, but the implicit cue (e.g., "that derivation rule 
I always use when I make passwords") is shared accross every account — the user rehearses the 
derivation rule every time he logs into one of his accounts. There are four base cues — three for 
the words, one for the derivation rule. 

Algorithm 5 Lifehacker Qm 

Input: Background knowledge k E JC about the user. Random bits b, Ai, Am. 
for i = 1 — 3 do 

$ 

Random Word: Wi <r- i?20,ooo- 
Derivation Rule: d ^ Unif (DerivRules). t> DerivRules is a set of 50 simple derivation 
rules to map the name of a site Ai to a string d {Ai) (e.g., use the first three consonants of Ai). 
for i = 1 ^ m do 

Pi -(- wiW2W^d {Ai) 

Ci ^ {{'Word',j\ I j G [3]} U {'Rule'} 
return (pi, ci) , (pm, Cm) 

User: Memorizes and rehearses the cue-association pairs {{''Word',j) ,Wj) for each j G [3] and 
{'Rule',d) by following the rehearsal schedule (e.g., CR or ER). 



Strong Random and Independent also uses implicit cues (e.g., the account name Aj), which are 
not shared across accounts so the only way to naturally rehearse the association {Ai,pi) is to visit 
account A^. 

Algorithm 6 Strong Random and Independent Qm 

Input: Background knowledge k E JC about the user. Random bits b, Ai, A^^. 
for i = 1 — )• m do 
for J = 1 — > 4 do 

$ 

Random Word: w^j -D20,ooo- 

Pi ^ w\W2W^^w\ 

Ci^{{Ai,j) \je[4]} 
return (pi, ci) , {pm, Cm) 

User: Memorizes and rehearses the association (^{Ai,j) for each account Ai and j G [4] 
by following the rehearsal schedule (e.g., CR or ER). 



C.l Security Of Baseline Password Management Schemes 

Reuse Weak is not {q$i,5, m, s, 0, l)-secure for any 6 < 1 — an adversary who is only willing to spend 
$1 on password cracking will still be able to crack the user's passwords! While Reuse Weak does 
provide some security guarantees against online attacks they are not very strong. For example. 
Reuse Weak is not even {q$i, .01, 100, 3, 0, 0)-secure because an adversary who executes an online 
attack can succeed in breaking into at least one of the user's 100 accounts with probability at least 
.01 — even if all accounts implement a 3-strike limit. If the adversary recovers any of the user's 
passwords (r > 0) then all security guarantees break down. 
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Reuse Strong is slightly more secure. It satisfies {q$ioa, 3.222 x 10"'^, m, s, 0, m)-security meaning 
that with high probability the adversary who has not been able to recover any of the user's passwords 
will not even be able to mount a sucessful offline attack against against the user. However, Reuse 
Strong is not (g, 5, m, s, 1, 0)-secure — if the adversary is able to recover just one password pi for 
any account Ai then the adversary will be able to compromise all of the user's accounts. 

Lifehacker is supposed to limit the damage of a recovery attack by using a derived string at 
the end of each password. However, in our security model the adversary knows that the user 
used Lifehacker to generate his passwords. The original article [3j instructs users to pick a simple 
derivation rule (e.g., "user ther first three consonants in the site name"). Because this instruction 
is vague we assume that there are a set of 50 derivation rules and that one is selected at random. 
If the adversary sees a password pi = wiW2W^d [Ai] for account Ai then he can immediately infer 
the base password h = wiW2Wz, and the adversary needs at most 50 guesses to discover one of the 
user's password^ — so if (m — l)s > 50 then Lifehacker is not (g, (5, m, s, 1, 0)-secure for any values 
of 5,q. Lifehacker \s {q%iQ6,1.2S^ x 10~^, m, s, 0, m)-secure — it defends against offline and online 
attacks in the absence of recovery attacks. 

Strong Random and Independent is highly secure! It satisfies ((7$io6; 3.222 x 10^"^, m, s, a, m)- 
security for any a < m. This means that even after the adversary learns many of the user's 
passwords he will fail to crack any other password with high probability. Unfortuanately, Strong 
Random is very difficult to use. 

C.2 Usability of Baseline Schemes 

Usability results for Lifehacker and Strong Random and Independent can be found in table [2] of the 
paper. We evaluate usability using the formula from Theorem [T} We present our results for the 
Very Active, Typical, Occasional and Infrequent users under both sufficient rehearsal assumptions 
CR and ER — with association strength a = 1. The usability results for ReuseStrong are identical 
to Lifehacker, because they have the same number of cues and each cue is rehearsed anytime the 
user visits any account Ai. Similarly, the usability results for ReuseWeak are better by a factor of 
4 (e.g., because there is only one cue to rehearse). 

C.3 Sources of Randomness 

Popular password advice tends to be informal — the user is instructed to select a character/number/digit /word, 
but is not told how to do this. Certainly one reason why people do not select random passwords is 
because they worry about forgetting their password [l3]. However, even if the user is told to select 
a the character uniformly at random it is still impossible to make any formal security guarantees 
without understanding the entropy of a humanly generated random sequence. We have difficulty 
consciously generating a random sequence of numbers even when they are not trying to construct 
a memorable sequence [65] [IS] |34j . 

This does not rule out the possibility that human generated random sequence could provide 
a weak source of entropy [IQ] — which could be used to extract a truly random sequence with 
computer assistance [55] I32j . We envision a computer program being used to generate random 
words from a dictionary or random stories (e.g.. Person- Action-Object stories) for the user to 

^In fact the adversary most likely needs far fewer guesses. He can immediately eliminate any derivation rule d s.t. 
d{Ai) 7^ d{Ai). Most likely this will include almost all derivation rules besides the correct one. 
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memorize. The source of randomness could come from the computer itself or it could be extracted 
from a human source (e.g., a user randomly typing on the keyboard). 

D Other Measures of Password Strength 

In this section we discuss other security metrics like entropy, minimum entropy and password 
strength meters. While these metrics can provide useful feedback (e.g., they rule out some insecure 
password management schemes) they are insufficient for our setting (e.g., there exist insecure 
password management schemes which these metrics fail to rule out). Metrics like guessing entropy 
(e.g.. How many guesses does an adversary need to guess all of passwords in a dataset |45j?) and 
partial guessing entropy (e.g.. How many guesses does the adversary need to crack a-fraction of 
the passwords in a dataset [50l [23]? How many passwords can the advesary break with /3 guesses 
per account [22]?) were designed to analyze the security of a dataset of passwords, not the security 
of a password management scheme. These metrics do not consider correlations between a user's 
passwords (e.g.. Is the user reusing the same password?), or adversary background knowledge (e.g.. 
Does the adversary know the user's birthdate or favorite hobbies?). 

D.l Password Strength Meters 

Password strength meters use simple heuristics (e.g., length, character set) to estimate the entropy 
of a password. A password strength meter can provide useful feedback to the user by warning the 
user when he picks passwords that are easy to guess. However, password strength meters can also 
give users a false sense of confidence (e.g., 'mmmmmmmmmmmmmmmmmmmmmmmmmmmm' 
is clearly predictable, but is ranked 'Best' by some meters [2j — see figure [2] [2]). A password like 
Mml IMml !Mml !Mml IMml IMml ! would be rated as very secure by almost any password strength 
meter because it is long, it uses upper case and lower case letters and it includes a special symbol 
(!). However, the password is based on a very simple repeated pattern and has low entropy (e.g., 
it could be compressed easily). A password strength meter cannot guarantee that a password is 
secure because (1) It does not know whether or not the user has already used this password (or a 
very similar password) somewhere else (2) It does not know if the user is basing his password on 
personal knowledge (e.g., wife's birthday) (3) It does not know what background knowledge the 
adversary might have about the user (e.g., does the adversary know the user's wife's birthday). 

Check your password — is it strong? 

Vour online accounts, computer files, and personal information are more secure when you use strong passi^ords to help protect them. 
Test the strength of your passwords: Type a password into the box. 



Strength; 




Figure 2: mmmmmmmmmmmmmmmmmmmmmmmmmmmm: sounds delicious, but is it really a 
strong password? 
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D.2 Entropy 

Entropy [56j can be used to measure the average number of guesses an adversary would need to 
guess a password chosen at random from a distribution D over passwords 



if(«) = EP^[-|0|log.(^) 



While entropy has been a commonly used information theoretic measure of password strength 
[171 W2\ . it is not always a good indicator of password strength [15]. For example, consider the 
following distributions over binary passwords Di and D,: 



Di (n) 



1" ^ with probability 1/2, 

G {0, l}2'^-2 with probability 2-2"+i. 

D2 {n)=xe {0, 1}" with probability 2"" . 
While there is no difference in the entropy of both generators 

H {D, (n)) = \ log, (^) + ^ 2-^"+i log, (22-1) ^ 1 + 2n_l ^ ^ ^ ^ ^^^^ ^ 

Z?! and D2 are by no means equivalent from a security standpoint! After just one guess an adversary 
can successfully recover the password generated by Di with probability > ^! By contrast an 
adversary would need at least 2""^ guesses to recover the password generated by D2 with probability 

>\- 

D.3 Minimum Entropy 

If we instead consider the minimum entropy 

Hmm {G) = min log, 

X 

of both generators we get a different story. 



1 



Pr [x\ G] 



Hmin {Di (n)) = log, {Jj^ = 1 « F^in (n)) = log, (2") = n . 

High minimum entropy guarantees with high probability any adversary will fail to guess the pass- 
word even after many guesses. However, even minimum entropy is not a great measure of security 
when the user is managing multiple passwords because it does not consider correlations between 
passwords. Suppose for example that each user needs two passwords (xi,a;,) and again consider 
two password distributions Di and D2 redefined below: 

Di (n) = {x, x) with probability 2"^" for each x G {0, 1}^" . 



D2 (n) = with probability 2-^" for each (xi,x,) G {0, 1}" x {0, 1}" . 

The min-entropy of both generators is the same (2n). However, Di provides no security guaran- 
tees against a recovery attack — any adversary who knows x, can immediately guess xi. However, 
when the passwords are chosen from D, an adversary who knows X2 has no advantage in guessing 

Xi. 



24 



Benefit (B) 


BCRYPT 


MD5 


SHAl 


IB 


B (5.155 X 10^) 


B (9.1 X 10^) 


B X 10^" 



Table 6: Upper Bound: qs for BCRYPT, MD5 and SHAl 



E Economics 

In this section we discuss how the parameter qs - our upper bound on the total number of adversary 
guesses - could be selected. Our upper bound is based on the economic cost of guessing. Guessing is 
not free! The basic premise is that the adversary will not try more than q^^ guesses to break into an 
account if his maximum benefit from the attack is %B. The cost of guessing is influenced by several 
factors including the cost of renting or buying computing equipment (e.g., Cray, CPUs), the cost 
of electicity to run the computers and the complexity of the cryptographic hash function used to 
encrypt the password. The value of q%B depends greatly on the specific choice of the cryptographic 
hash function. Table [6] shows the values of q%B we computed for the BCRYPT, SHAl and MD5 
hash functions. 

E.l Password Storage 

There are many cryptographic hash functions that a company might use (e.g., MD5, SHAl, SHA2, 
BCRYPT) to store passwords. Some hash functions like BCRYPT |51| were designed specifically 
with passwords in mind — BCRYPT was intentionally designed to be slow to compute (e.g., to 
limit the power of an adversary's offline attack). The BCRYPT hash function takes a parameter 
which allows the programmer to specify how slow the hash computation should be — we used 
L12 in our experiments. By contrast, MD5, SHAl and SHA2 were designed for fast hardware 
computation. Unfortunately, SHAl and MD5 are more commonly used to hash passwords pEj. In 
economic terms, hash functions like BCRYPT increase the adversary's cost of guessing. We use 
Fh to denote number of times that the hash function H can be computed in one hour on a 1 GHz 
processor. We estimated Fh experimentally on a Dell Optiplex 960 computer for BCRYPT, MD5 
and SHAl (table [7]) — as expected the value of Fjj is much lower for BCRYPTY than SHAl and 
MD5. 

The rainbow table attack can be used to significantly speed up password cracking attempts after 
the adversary performs some precomputation |49j . Rainbow table attacks can be prevented by a 
practice known as password salting (e.g., instead of storing the cryptographic hash of the password 
h{p) the a server stores {h (p, r) , r) for a random string r) |15j . 

Note: , In reality, many companies do not salt their passwords jl21[9] (in fact some do not even hash 
them |S|). In this paper, we assume that passwords are stored properly (e.g., salted and hashed), 
and we use optimistic estimates for based on the BCRYPT hash function. To justify these 
decisions we observe that a user could easily ensure that his passwords are salted and encrypted 
with a slow hash function / (e.g., BCRYPT [51]) by using / {U,Ai,pi) as his password for account 
i - where U is the username and Ai is the name of account i. Because the function / is not a secret, 
its code could be stored locally on any machine being used or publically on the cloud. 
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Hash Function 
SHAl 
MD5 
BCRYPT (L12) 



Fh 

576 X 10^ guesses per hour 
561 X 10^ guesses per hour 
^ 31 X 10^ guesses per hour 



$1 X 10-1° 
$1.1 X 10^1° 
$1.94 X 10-5 



Table 7: Guessing Costs 



E.2 Attack Cost and Benefit 

Suppose that company Ai is hacked, and that the usernames and password hashes are stolen by an 
adversary. We will assume that company A has been following good password storage practices (e.g., 
company Ai hashes all of their passwords with a strong cryptographic hash function, and company 
Ai salts all of their password hashes). The adversary can purchase any computing equipment 
he desires (e.g., Cray supercomputer, CPUs, etc) and run any password cracker he wants for as 
long as he wants. The adversarys primary limitation is money. It costs money to buy all of this 
equipment, and it costs money to run the equipment. If the adversary dedicates equipment to run 
a password cracker for several years then the equipment may be obsolete by the time he is finished 
(depreciation). We define Cg to be the amortized cost per guesses for the adversary. 

E.3 Cost of Guessing 

Included in the amortized guessing cost are: the price of electricity and the cost of equipment. 
We estimate Cg by assuming that the adversary rents computing time on Amazon's cloud EC2 
[1]. This allows us to easily account for factors like energy costs, equipment failure and equipment 
depreciation. Amazon measures rented computing power in ECUs |1J — "One EC2 Compute 
Unit (ECU) provides the equivalent CPU capacity of a 1.0-1.2 GHz 2007 Opteron or 2007 Xeon 
processor." We use CgHz to denote the cost of renting a 1 GHz processor for 1 hour on Amazon. 
We have 

Using the Cluster GPU Instance rental option the adversary could rent 33.5 ECU compute units 
for $2.10 per hour ( Cghz = $-06). 

Our results are presented in table [7j 

E.4 Benefit 

The benefit Bj of cracking an account Aj is dependent on both the type of account (e.g., banking, 
e-mail, commerce, social network, leisure) and the adversarys background knowledge about the 
user (e.g.. Does the user reuse passwords? Is the user rich? Is the user a celebrity?). 

Password reuse has a tremedous impact on B. An adversary who cracked a user's ESPN 
account would likely get little benefit — unless the user reused the password elsewhere. For most 
non-celebrities, Bj can be upper bounded by the total amount of money that the user has in 
all of his financial accounts. In fact, this may be a significant overestimate — even if the user 
reuses passwords — because banks are usually successful in reversing large fraudulent transfers [36] . 
Indeed, most cracked passwords sell for between $4 and $17 on the black market |.38j . An adversary 
might also benefit by exploiting the user's social connections (e.g., tricking the user's friends to wire 
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Hash Function 

SHAl 

MD5 
BCRYPT (L12) 



Q'Sl.OOO.OOO 
1016 

9.1 X 10^^ 

5.2 X 10^° 



Table 8: g$i noo,ooo 





(b) c' - context when the user at- 
(a) c - context when a memory a tempts to recaU the memory a 
is stored later 



Figure 3: Context Changes Over Time 



money). Some user's passwords may also be valuable because have access to valuable information 
(e.g., celebrity gossip, trade secrets). 

Most users should be safely assume that no adversary will spend more than $1,000,000 to crack 
their account even if they reuse passwords. Table |8] shows the value of 9$i,ooo,ooo for various hash 
functions. 



F Associative Memory Models and Mnemonic Techniques 

We are interested in password management schemes which can be implemented on "human hard- 
ware" . Human memory is different from persistant memory on a computer — we routinely confuse 
or forget information we used to know. Furthermore, our understanding of human memory is 
incomplete — though it has been an active area of research [T8]. There are many mathematical 
models of human memory [66l [161 [63] — each with its own merits and flaws. While each of 
these models are different they all model an associative memory with cue-association pairs. We use 
a simplified version of Marr's associative memory model [H] to extract intuitions about mnemonic 
techniques. Our analysis and conclusions — that the use strong mnemonic techniques significantly 
decreases the chance of forgetting — are similar to those of Eich [33j . 

A memory trace might be described as a mathematical vector a G M" — the vector a might 
encode the excitement levels of n neurons in the user's brain. To remember a the brain associates 
the memory with a context c S M" — which represents the state of the user's brain when the 
association is made. This context c G M" may be influenced by many factors such as the user's 
visual surroundings (e.g., the web site the user is looking at), the user's auditory environment (e.g., 
music that the user is listening to) or pressing tasks that the user has to do (e.g., study for the test 



tomorrow). See figure 3a) for an illustration. 



A n X n dimensional matrix M E 7^"X" used store the associations between contexts and 
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memories — physically M might encode the strength of the synapses connecting each neuron [33] . 
Our simplified memory model supports two operations Link (, ) and Recall (). Link (c, a) creates 
the association between the context c and the memory a. Formally, Link (c, a) updates M in the 
following way 

M ^ c(g) a + M , 

where (8> denotes the outer product. Of course the user may have multiple associations to store in 
his memory. We let {ct,at) denote the t'th association, then 

t 

Mt = Y^ {ci ^ ai) , 
1=0 

represents the state of the user's brain after memorizing the associations (q, Oj) for i <t. Recall [c) 
attempts to recover the association a by computing a = cM. Notice that the association between 
a and c can be strengthed by executing Link (c, a) multiple times (e.g., rehearsing). 

In this model the two primary causes of forgetting are Context Change and Interference. 

1. Context Change: The original context c might have changed by the time the user attempts 
to recall a memory (e.g., the user might be listening to different music and might have a 
different "to do" list). While a memory trace can be retrieved from a context which is 
similar to c [66j, memory performance quickly fades as the context becomes less similar. 

2. Interference: If another memory a' is associated with the context c (or a context similar 
to c) then these memory traces may interfere with each other. 

Suppose for example that c = e + r is the context when a memory was stored (where f is a 
random vector) and that e is the context when the user tries to retrieve the memory. If the context 
e has not been used to store other associations then 

Recall (e) = eM = \\e\\a + Noise . 

We say that A;||e|| represents the strength of the association between e and a the association 
has been rehearsed k times. By picking interesting cues the user can ensure that ||e|| is large (e.g., 
the contexts e are c are similar) so that the association between e and a can be strengthened with 
fewer rehearsals. 

F.l Other Mnemonic Schemes 

Memory champions use mnemonic techniques like the method of loci to ensure that the retrieval 
context c' is as similar to the original context as possible. To memorize a list of items the memory 
champion will mentally walk through a familiar location and mentally store the items along the 
route. To remember the list the memory champion mentally walks down the same path to recover 
the original context. To avoid interference memory champions never reuse the same memory palace 
during a competition — instead they have hundreds of memory palaces and they spend time 
mentally 'clearing' the memory palaces before a competition. Preparing memory palaces is a time 
consuming process. However, a user can achieve a similar results by selecting photo(s) that are 
interesting to him, and associating random words with a photo c G C. The cue c £ C can be stored 
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publicly so that the user does not have to remember it — whereas the memory champion must 
remember how to walk through each memory palace. 

We illustrated the concept of public cues using person-action-object stories with pictures as 
public cues. However, our technique is not limited to this one mnemonic device. Another approach 
we have used successfully is to select random words wi,W2,W3, W4 from the dictionary D and make 
up a story to associate the words with the picture (see|4]). We have found that this technique is made 
easier by: (1) limiting the size of the dictionary (e.g., only use the most 20,000 most commonly 
used words in the English language), and (2) selecting sixteen words randomly ■u)i , . . . , wig and 
giving the user the freedom to select four of these words wi, ...,W4 S {wi \ i < 16}. 




Figure 4: Scope, Invests, Slender, Sponge: Imagine a slender sponge dancing at the bottom 
of the castle, a wall street banker invests his money in the center of the castle while a sniper peers 
through his scope at the banker. 

One difficulty with this approach is that any usability guarantees rely on the user's creativity - 
the ability to construct interesting stories and associate them with the picture. Davis, et al., [30] 
proposed a similar story approach to creating passwords (without using pictures as public cues), 
but their study results showed that many users do not follow the instructions to make up a story 
to help remember their password. A person-action-object story has the advantage of not requiring 
the user to be creative and make up his own story. However, it is possible that some users might 
prefer to to generate their own stories. The advantage of this approach is that you would have to 
memorize fewer words overall. 

The public cue does not necessarily have to be a picture. Musical phrases or even videos could 
also be used as a cue to help ensure that the rehearsal and retrieval contexts are similar. It would 
be interesting to design password management schemes which use musical phrases, or even videos 
as a public cue. 
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